diff --git a/.github/workflows/tofu-apply.yml b/.github/workflows/tofu-apply.yml
index 8129360..80fc8a1 100644
--- a/.github/workflows/tofu-apply.yml
+++ b/.github/workflows/tofu-apply.yml
@@ -49,6 +49,7 @@ jobs:
 with:
 label: dsekt-infra
 variables: |
+ ssh_user = "${{ vars.TF_SSH_USER }}"
 hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
 cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
- ssh_user = "${{ vars.TF_SSH_USER }}"
+ vault_db_password = "${{ secrets.TF_VAULT_DB_PASSWORD }}"
diff --git a/.github/workflows/tofu-plan.yml b/.github/workflows/tofu-plan.yml
index 375a70d..05c8f57 100644
--- a/.github/workflows/tofu-plan.yml
+++ b/.github/workflows/tofu-plan.yml
@@ -42,6 +42,7 @@ jobs:
 with:
 label: dsekt-infra
 variables: |
+ ssh_user = "${{ vars.TF_SSH_USER }}"
 hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
 cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
- ssh_user = "${{ vars.TF_SSH_USER }}"
+ vault_db_password = "${{ secrets.TF_VAULT_DB_PASSWORD }}"
diff --git a/aws-ses.tf b/aws-ses.tf
index c424765..0f79de0 100644
--- a/aws-ses.tf
+++ b/aws-ses.tf
@@ -68,3 +68,18 @@ resource "aws_iam_user_policy_attachment" "mattermost_smtp" {
 user = aws_iam_user.mattermost_smtp.name
 policy_arn = aws_iam_policy.send_email.arn
 }
+
+# Vaultwarden
+
+resource "aws_iam_user" "vaultwarden_smtp" {
+ name = "vaultwarden_smtp"
+}
+
+resource "aws_iam_access_key" "vaultwarden_smtp" {
+ user = aws_iam_user.vaultwarden_smtp.name
+}
+
+resource "aws_iam_user_policy_attachment" "vaultwarden_smtp" {
+ user = aws_iam_user.vaultwarden_smtp.name
+ policy_arn = aws_iam_policy.send_email.arn
+}
diff --git a/hosts.tf b/hosts.tf
index a636b8a..2c95db7 100644
--- a/hosts.tf
+++ b/hosts.tf
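Review bot: The added `vault_db_password = "${{ secrets.TF_VAULT_DB_PASSWORD }}"` line splices the secret into HCL text by string interpolation, so a value containing `"`, `\` or `${` would break or silently alter the tfvars parse; the identical hunk in .github/workflows/tofu-plan.yml has the same issue. Either document the constraint next to the line, `# TF_VAULT_DB_PASSWORD is interpolated into HCL: it must not contain " or \`, or hand the value to tofu as the `TF_VAR_vault_db_password` environment variable, which needs no quoting at all (assuming the action runs tofu inside the job's environment). The matching `variable "vault_db_password"` declaration is not in this diff; confirm it carries `sensitive = true` so plan and apply output redact it, since the value will otherwise be printed whenever a resource using it changes. The step's `with:` block begins outside the hunk.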
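Review bot: The new `aws_iam_access_key.vaultwarden_smtp` sets no `pgp_key`, so its `secret` attribute is kept in plaintext in the OpenTofu state, and nothing in the hunk records where that secret is consumed or how it is rotated. Add a comment above the resource so the next maintainer does not have to trace it, e.g. `# Secret lives only in state and is read by the vaultwarden job; rotate with tofu apply -replace=aws_iam_access_key.vaultwarden_smtp`, adjusting the consumer name to what actually reads it. The block copies the existing `mattermost_smtp` pattern, so the same remark applies there, but the new block is the one being added here.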
@@ -5,6 +5,7 @@ locals {
 poseidon = { role = "server", private_ip_addr = "10.83.0.3", server_type = "cx22" }
 hades = { role = "server", private_ip_addr = "10.83.0.4", server_type = "cx22" }
 ares = { role = "client", private_ip_addr = "10.83.0.5", server_type = "cx21" }
+ artemis = { role = "client", private_ip_addr = "10.83.0.6", server_type = "cx22" }
 }
 }
 
diff --git a/hosts/artemis.nix b/hosts/artemis.nix
new file mode 100644
index 0000000..1c0571f
--- /dev/null
+++ b/hosts/artemis.nix
@@ -0,0 +1,22 @@
+{ profiles, ... }:
+{
+ imports = with profiles; [
+ hetzner-cloud
+ base
+ nomad.client
+ ];
+
+ services.nomad.settings.client.host_volume = {
+ "vault/data" = {
+ path = "/var/lib/nomad-volumes/vault/data";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/nomad-volumes 0500 0 0"
+ "d /var/lib/nomad-volumes/vault/data 0700 0 0" # vaultwarden runs as root
+ ];
+
+ # Change this if you want to lose all data on this machine!
+ system.stateVersion = "24.05";
+}
diff --git a/jobs/vaultwarden.nomad.hcl b/jobs/vaultwarden.nomad.hcl
new file mode 100644
index 0000000..e4cf74f
--- /dev/null
+++ b/jobs/vaultwarden.nomad.hcl
@@ -0,0 +1,73 @@
+variable "domain_name" {
+ type = string
+ default = "vault.datasektionen.se"
+}
+
+job "vault" {
+ namespace = "vault"
+
+ group "vault" {
+ network {
+ port "http" { }
+ }
+
+ service {
+ name = "vault"
+ port = "http"
+ provider = "nomad"
+ tags = [
+ "traefik.enable=true",
+ "traefik.http.routers.vault.rule=Host(`${var.domain_name}`)",
+ "traefik.http.routers.vault.tls.certresolver=default",
+ ]
+ }
+
+ volume "data" {
+ type = "host"
+ source = "vault/data"
+ }
+
+ task "vault" {
+ driver = "docker"
+
+ config {
+ image = "vaultwarden/server:1.32.0-alpine"
+ ports = ["http"]
+ }
+
+ template {
+ data = <
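Review bot: In hosts/artemis.nix the path `/var/lib/nomad-volumes/vault/data` is spelled out twice, once as `host_volume."vault/data".path` and once inside the tmpfiles rule, so renaming one without the other leaves Nomad pointing at a directory tmpfiles no longer creates; bind it once in a `let`. The `0700 0 0` mode is also coupled to the task writing as uid 0, as the inline comment notes, so if the job is ever given a non-root `user` both the mode and the volume must change together, which is another reason to keep them side by side. The rewrite below keeps the same effective configuration.

```nix
{ profiles, ... }:
let
  # Single source of truth for the directory shared by the Nomad host
  # volume and the tmpfiles rule that creates it.
  vaultDataDir = "/var/lib/nomad-volumes/vault/data";
in
{
  # … unchanged: imports …

  services.nomad.settings.client.host_volume = {
    "vault/data" = {
      path = vaultDataDir;
    };
  };

  systemd.tmpfiles.rules = [
    "d /var/lib/nomad-volumes 0500 0 0"
    "d ${vaultDataDir} 0700 0 0" # vaultwarden runs as root; revisit if the task gets a non-root user
  ];

  # … unchanged: stateVersion …
```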